Configure the identity handling in the public site – Part 4
In the previous post we set up Azure ACS and were able to log out and authenticate, but we hadn't yet configured what happens when the user is returned to the site after authentication. This video walks through setting up the handling of the returned identity.
Below are the sections I used to edit my web.config file, as shown in the video. It's important to note that these are specific to SharePoint 2013.
1. Add to the bottom of the SharePoint section group
——
<section name="ApplicationAuthentication" type="Microsoft.SharePoint.IdentityModel.ApplicationAuthenticationConfigurationSection, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
——
Example
—————————–
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <sectionGroup name="SharePoint">
      <section name="SafeControls" type="Microsoft.SharePoint.ApplicationRuntime.SafeControlsConfigurationHandler, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <section name="RuntimeFilter" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartLimits" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartCache" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartWorkItem" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartControls" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="SafeMode" type="Microsoft.SharePoint.ApplicationRuntime.SafeModeConfigurationHandler, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <section name="MergedActions" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="PeoplePickerWildcards" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WorkflowServices" type="Microsoft.SharePoint.Workflow.ServiceConfigurationSection, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <section name="BlobCache" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="OutputCacheProfiles" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="ObjectCache" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="MediaAssets" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="ApplicationAuthentication" type="Microsoft.SharePoint.IdentityModel.ApplicationAuthenticationConfigurationSection, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </sectionGroup>
—————————–
2. Add to configSections, just before the Microsoft.Dynamics section group.
——
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
——
Example
——————————-
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <sectionGroup name="Microsoft.Dynamics">
      <section name="Session" type="Microsoft.Dynamics.Framework.BusinessConnector.Configuration.SessionConfigurationSection, Microsoft.Dynamics.Framework.BusinessConnector, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <section name="ServerState" type="Microsoft.Dynamics.Framework.Portal.Configuration.ServerStateConfigurationSection, Microsoft.Dynamics.Framework.Portal, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <section name="AppFabricCaching" type="Microsoft.Dynamics.Framework.Portal.Configuration.AppFabricConfigurationSection, Microsoft.Dynamics.Framework.Portal, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </sectionGroup>
—————————-
3. Add to the bottom of the config file, just before the closing configuration element.
——
<microsoft.identityModel>
  <service saveBootstrapTokens="true">
    <securityTokenHandlers>
      <securityTokenHandlerConfiguration>
        <audienceUris>
          <add value="http://axr3mavm11/sites/public/Enterprise%20Portal/UserRequestLoginAzure.aspx" />
          <add value="http://axr3mavm11/sites/public/" />
        </audienceUris>
        <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <trustedIssuers>
            <add thumbprint="XXXX87097479B56E21B551E3F60C35FFEFXXXXX" name="http://axr3mavm11" />
          </trustedIssuers>
        </issuerNameRegistry>
        <issuerTokenResolver type="Microsoft.SharePoint.IdentityModel.SPIssuerTokenResolver, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </securityTokenHandlerConfiguration>
      <clear />
      <add type="Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
        <samlSecurityTokenRequirement>
          <nameClaimType value="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" />
        </samlSecurityTokenRequirement>
      </add>
      <add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </securityTokenHandlers>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="false" issuer="https://none" realm="https://none" />
      <cookieHandler mode="Custom" path="/" name="techsFedAuth">
        <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </cookieHandler>
    </federatedAuthentication>
  </service>
</microsoft.identityModel>
——
Example
————————————
  <location path="_layouts/15/dmsdownload.aspx">
    <system.web>
      <httpRuntime maxRequestLength="2097151" executionTimeout="3600" />
    </system.web>
  </location>
  <microsoft.identityModel>
    <service saveBootstrapTokens="true">
      <securityTokenHandlers>
        <securityTokenHandlerConfiguration>
          <audienceUris>
            <add value="http://axr3mavm11/sites/public/Enterprise%20Portal/UserRequestLoginAzure.aspx" />
            <add value="http://axr3mavm11/sites/public/" />
          </audienceUris>
          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <add thumbprint="XXXX687097479B56E21B551E3F60C35FFEFFXXXX" name="http://axr3mavm11" />
            </trustedIssuers>
          </issuerNameRegistry>
          <issuerTokenResolver type="Microsoft.SharePoint.IdentityModel.SPIssuerTokenResolver, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        </securityTokenHandlerConfiguration>
        <clear />
        <add type="Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
          <samlSecurityTokenRequirement>
            <nameClaimType value="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" />
          </samlSecurityTokenRequirement>
        </add>
        <add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </securityTokenHandlers>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="false" issuer="https://none" realm="https://none" />
        <cookieHandler mode="Custom" path="/" name="techsFedAuth">
          <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        </cookieHandler>
      </federatedAuthentication>
    </service>
  </microsoft.identityModel>
</configuration>
————————————
In the second half of the video we configured the TrustedRootAuthority to be our Azure ACS namespace. These were the commands we used in that sequence.
1. Establish the claims mappings
$claim1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "ACS Name Identifier Claim" -LocalClaimType "http://schemas.microsoft.com/custom/claim/type/2013/07/acs-nameidentifier"
$claim2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" -IncomingClaimTypeDisplayName "ACS Identity Provider" -LocalClaimType "http://schemas.microsoft.com/custom/claim/type/2013/07/acs-identityprovider"
$claim3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "ACS username" -LocalClaimType "http://schemas.microsoft.com/custom/claim/type/2013/07/acs-username"
2. Provide path to the certificate
$acscert = Get-PfxCertificate c:\temp\ACSCertVM6.cer
It's important that the certificate you import here matches the certificate you used in your Azure ACS setup.
3. Establish the TrustedIdentityTokenIssuer
New-SPTrustedIdentityTokenIssuer -Name "AzureACS" -Description "Azure ACS" -Realm "urn:axr3mavm6:AzureACS" -ImportTrustCertificate $acscert -SignInUrl "https://axr3mavm6.accesscontrol.windows.net/v2/wsfederation" -ClaimsMappings $claim1,$claim2,$claim3 -IdentifierClaim $claim1.InputClaimType
-Name
In this example I used AzureACS. You can use any name, but remember what you use as it gets entered into AX in a later step.
-Realm
As you saw in the video, the realm I created matches the relying party I created in ACS.
-SignInUrl
This will need to match your Azure ACS namespace.
4. Load cert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($acscert)
5. Associate the cert with the TrustedRootAuthority
$spcert = New-SPTrustedRootAuthority -Certificate $cert -Name "ACSTokenSigningCert"
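A pre-flight check I would run after steps 1 to 5 above and the web.config edits, added here as example code that is not part of the original post: it loads the ACS certificate, reads the trustedIssuers thumbprint and audienceUris back out of the web.config, and flags stray or missing characters before IIS picks up the file. The web.config path is an assumption; the certificate path is the one used in step 2.

```powershell
# Added check (not from the original post). Compares the thumbprint in
# <trustedIssuers> with the ACS signing certificate and validates audienceUris.
param(
    # Assumed location of the public site's web.config; change for your farm.
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    # Certificate exported from ACS, as used with Get-PfxCertificate above.
    [string]$CertPath = 'c:\temp\ACSCertVM6.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$expected = $cert.Thumbprint.ToUpperInvariant()
Write-Host "Certificate subject: $($cert.Subject)  thumbprint: $expected"

[xml]$config = Get-Content -Path $WebConfigPath -Raw
$service = $config.configuration.'microsoft.identityModel'.service
$handlerConfig = $service.securityTokenHandlers.securityTokenHandlerConfiguration

$ok = $true
foreach ($issuer in $handlerConfig.issuerNameRegistry.trustedIssuers.add) {
    $raw = $issuer.GetAttribute('thumbprint')
    # Drop anything that is not a hex digit: spaces, zero-width characters and
    # other debris that copy-and-paste tends to add to a thumbprint.
    $tp = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($raw.Length -ne $tp.Length) {
        Write-Warning "Thumbprint for '$($issuer.GetAttribute('name'))' contains non-hex characters: '$raw'"
        $ok = $false
    }
    if ($tp.Length -ne 40) {
        Write-Warning "Thumbprint has $($tp.Length) hex digits, expected 40 (truncated or padded?)"
        $ok = $false
    }
    if ($tp -ne $expected) {
        Write-Warning "Thumbprint $tp does not match the certificate ($expected)"
        $ok = $false
    }
}

foreach ($aud in $handlerConfig.audienceUris.add) {
    $value = $aud.GetAttribute('value')
    if (-not [Uri]::IsWellFormedUriString($value, [UriKind]::Absolute)) {
        Write-Warning "Audience URI '$value' is not a well-formed absolute URI"
        $ok = $false
    }
}

if ($ok) { Write-Host 'web.config identity settings agree with the certificate.' }
else     { Write-Host 'Fix the warnings above before restarting IIS.' }
```

Run it in the SharePoint Management Shell on the web front end after saving the web.config; a warning about non-hex characters is the copy-and-paste problem described at the end of the post.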
Also in the video I turned on debugging for my web site, which is done with this line in the web.config:
<compilation batch="false" debug="true">
Links for Reference
https://technet.microsoft.com/EN-US/library/dn715949.aspx
There are a lot of steps in this one, so tread carefully. Things like the thumbprint can pick up extra characters when copying and pasting, or lines can get truncated, so check what you have copied and pasted before changing the web.config or executing the command in PowerShell.
Cheers
Lachlan